Hospice settles HIPAA case for $50,000

A stolen laptop has resulted in an Idaho hospice organization paying the Department of Health and Human Services $50,000.

It's the first settlement for a breach of protected health information affecting fewer than 500 individuals under the Health Insurance Portability and Accountability Act Security Rule, according to HHS.

The computer contained health information for 441 patients. The Hospice of North Idaho, located in Hayden, notified HHS it had been stolen in February 2011.

The government said the hospice “did not adequately adopt or implement security measures sufficient to ensure the confidentiality of e-PHI that it created, maintained, and transmitted using portable devices.”

The agreement sends a warning to other healthcare organizations that HHS takes HIPAA seriously, even for small organizations, and that patient health records should be encrypted. It follows other HIPAA cases settled in 2012.

The Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. settled with HHS for $1.5 million in September. An unencrypted personal laptop containing the protected health information of patients, such as patient prescription information, had been stolen.

The Alaska Department of Health and Human Services settled a HIPAA case with HHS for $1.7 million in June. In that case, an “electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a DHSS computer technician.”
